On Wed, Jul 03, 2024 at 03:24:18PM +0000, Chuck Lever III wrote:
> I'm also concerned about applications in one container being
> able to reach around existing mount namespace silos into the
> NFS server container's file systems. Obviously the NFS protocol
> has its own authorization that would grant permission for that
> access, but via the network.

Yes. One good way I could think of is to use SCM_RIGHTS to duplicate a
file descriptor over a unix socket. For that we'd need a way to actually
create that unix socket first and I also don't think we currently have
support for using that in-kernel, but it's a well-known way to hand file
descriptors to other processes. A big plus would be that this would even
work with non-kernel servers (or even clients for that matter) as long as
they run on the same kernel (including non-Linux kernels).